flash

astx_setup.exe

Status: finished
Submission Time: 2022-11-28 13:39:49 +01:00
Suspicious
Ransomware
Trojan
Evader
GuLoader

Comments

Tags

Details

  • Analysis ID:
    755221
  • API (Web) ID:
    1122497
  • Analysis Started:
    2022-11-28 13:39:54 +01:00
  • Analysis Finished:
    2022-11-28 13:53:55 +01:00
  • MD5:
    7dd75b2c2e214c0347df3dc137161b19
  • SHA1:
    072a03d9279d3ecbdb5a76c70a862a75fb50d95b
  • SHA256:
    06f360d2a25c75619cb769f56ced75d3d92cd339cb3ec2e3aa9c642ba6f3158f
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 91, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)

suspicious
34/100

Domains

Name IP Detection
webclinic.ahnlab.com.cdngc.net
101.79.212.66
gms.wip.ahnlab.com
34.249.110.217
webclinic.ahnlab.com
0.0.0.0
Click to see the 1 hidden entries
gms.ahnlab.com
0.0.0.0

URLs

Name Detection
http://www.phreedom.org/md5)0
http://%1/CertEnroll/%3%8%9.crlfile://
http://www.firmaprofesional.com/cps0
Click to see the 97 hidden entries
http://cps.chambersign.org/cps/chambersroot.html0
http://ocsp.entrust.net03
http://ocsp.sectigo.com0
http://fedir.comsign.co.il/crl/ComSignCA.crl0
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
http://www.aarongifford.com/
http://%1/CertEnroll/%1_%3%4.crtfile://
http://gladman.plushost.co.uk/oldsite/AES/index.php
http://crl.entrust.net/2048ca.crl0
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
http://wakaba.c3.cx/s/apps/unarchiver.html
https://www.netlock.net/docs
https://mgactivation.ahnlab.com/api/auth/v1/healthcheck
http://www.pkioverheid.nl/policies/root-policy-G20
http://www.openssl.org/)
http://www.firmaprofesional.com0
http://www.trustdst.com/certificates/policy/ACES-index.html0
https://github.com/wycats/handlebars.js
http://www.quovadis.bm0
http://www.info-zip.org/
http://www.7-zip.org/sdk.html
http://crl.xrampsecurity.com/XGCA.crl0
http://www.wavpack.com/
http://www.zlib.net/zlib_license.html
http://mattmahoney.net/dc/zpaq.html
http://cps.chambersign.org/cps/chambersignroot.html0
http://www.winace.com/
http://ocsp.entrust.net0D
https://ocsp.quovadisoffshore.com0
https://github.com/wycats/handlebars.js)
https://%1/CertEnroll/nsrev_%3.aspldap:///CN=%7%8
http://www.e-szigno.hu/SZSZ/0
https://gactivation.ahnlab.com/api/auth/v1/activate/client
http://www.valicert.com/1
https://seed.kisa.or.kr/iwt/ko/sup/EgovLeaInfo.do
http://crl.chambersign.org/chambersignroot.crl0
http://ncompress.sourceforge.net/
http://www.quovadisglobal.com/cps0
http://www.e-szigno.hu/RootCA.crt0
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://download.ahnlab.com/down/ahnreport/AhnRpt.exe
http://www.bzip.org/downloads.html
http://mozilla.org/MPL/2.0/.
http://crl.securetrust.com/STCA.crl0
https://code.bandisoft.com
http://tss-geotrust-crl.thawte.com/ThawteTimestampingCA.crl0
http://crl.securetrust.com/SGCA.crl0
https://mgactivation.ahnlab.com/api/auth/v1/activate/client
https://mgactivation.ahnlab.com/api/auth/v1/activate/relay
http://policy.camerfirma.com0
http://json.org/).
http://sourceforge.jp/projects/lha/
http://www.sk.ee/cps/0
http://www.disig.sk/ca/crl/ca_disig.crl0
http://www.certplus.com/CRL/class2.crl0
http://yuilibrary.com/license/
http://sourceforge.net/p/infozip/patches/18/
http://ca.disig.sk/ca/crl/ca_disig.crl0
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
http://www.phreedom.org/md5)MD5
http://ocsp.pki.gva.es0
https://jp.ahnlab.com/site/support/qna/qnaAddForm2.do;
http://www.info-zip.org/pub/infozip/license.html.
http://repository.swisssign.com/0
http://www.pkioverheid.nl/policies/root-policy0
http://www.diginotar.nl/cps/pkioverheid0
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
http://www.compression.ru/ds/
http://www.chambersign.org1
http://www.certifikat.dk/repository0
https://gactivation.ahnlab.com/api/auth/v1/activate/relay
http://crl.chambersign.org/chambersroot.crl0
http://acedicom.edicomgroup.com/doc0
http://www.sk.ee/juur/crl/0
http://www.symauth.com/rpa00
http://www.e-szigno.hu/RootCA.crl
http://www.disig.sk/ca0f
https://www.catcert.net/verarrel
http://site.icu-project.org/
http://www.entrust.net/CRL/net1.crl0
https://opensource.ahnlab.com
https://gactivation.ahnlab.com/api/auth/v1/healthcheck
https://code.bandisoft.com/
http://www.rarlab.com/rar_add.htm
http://mathiasbynens.be/
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
http://www.symauth.com/cps0(
http://broofa.com/
http://nsis.sf.net/NSIS_ErrorError
http://www.aescrypt.com/
http://javascript.nwbox.com/IEContentLoaded/)
https://mgactivation.ahnlab.com/api/auth/v1/activate/relayhttps://mgactivation.ahnlab.com/api/auth/v
http://crl.pki.wellsfargo.com/wsprca.crl0
http://www.certicamara.com/dpc/0Z
https://github.com/necolas/normalize.css/
http://crl.oces.certifikat.dk/oces.crl0
http://www.phreedom.org/md5)

Dropped files

Name File Type Hashes Detection
C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipsig.rul
data
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\msg.dat
data
#
C:\Program Files\AhnLab\Safe Transaction\DB\defcfg.db
data
#
Click to see the 97 hidden entries
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\geo.asd
data
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\gof.dat
data
#
C:\Program Files\AhnLab\Safe Transaction\MFC90CHT.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90ESN.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90CHS.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\IAccessible2Proxy.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\HsbCtl.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\DefPly\starter_ply.ui
Microsoft Cabinet archive data, single, 326717 bytes, 1 file, at 0x44 +AX "starter_ply.html.new", flags 0x4, number 1, extra bytes 20 in head, 10 datablocks, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\DefPly\ply_ver.ui
Microsoft Cabinet archive data, single, 137 bytes, 1 file, at 0x44 +AX "ply_ver.html.new", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\DefPly\netizen_ply_default.ui
Microsoft Cabinet archive data, single, 7101 bytes, 1 file, at 0x44 +AX "netizen_ply_default.html.new", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\DefPly\extraopn_ply.ui
Microsoft Cabinet archive data, single, 90334 bytes, 1 file, at 0x44 +AX "extraopn_ply.html.new", flags 0x4, number 1, extra bytes 20 in head, 3 datablocks, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\DB\nzdefcfg.db
data
#
C:\Program Files\AhnLab\Safe Transaction\DB\nzcmncfg.db
data
#
C:\Program Files\AhnLab\Safe Transaction\DB\ipcntry.db
SQLite 3.x database, last written using SQLite version 3014002, file counter 2, database pages 1127, cookie 0x1, schema 4, UTF-8, version-valid-for 2
#
C:\Program Files\AhnLab\Safe Transaction\Core.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\ssl3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\sqlite3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\softokn3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\smime3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssutil3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssdbm3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nssckbi.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\nss3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\msvcr100.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\libcrypto-1_1-x64.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHT.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Nz32\MFC90CHS.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Nz32\IAccessible2Proxy32.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Nz32\HsbCtl32.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Nz32\AhnI2.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\NetRule\tnnipprt.rul
data
#
C:\Program Files\AhnLab\Safe Transaction\Microsoft.VC90.MFC.manifest
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2003), with CRLF line terminators
#
C:\Program Files\AhnLab\Safe Transaction\Microsoft.VC90.CRT.manifest
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\wlist.asd
data
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\uh.dat
data
#
C:\Program Files\AhnLab\Safe Transaction\MeD\Definition\mdp.scd
data
#
C:\Program Files\AhnLab\Safe Transaction\MFC90DEU.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcr90.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MUpdate2\msvcp90.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MUpdate2\Microsoft.VC90.CRT.manifest
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1506), with CRLF line terminators
#
C:\Program Files\AhnLab\Safe Transaction\MFC90KOR.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90JPN.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90ITA.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90FRA.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90ESP.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplds4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\MFC90ENU.dll
PE32+ executable (DLL) (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AHC\asdf.sld.ahc
Microsoft Cabinet archive data, single, 171 bytes, 1 file, at 0x44 +AX "asdf.sld.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\ASDSvc.exe
PE32+ executable (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ASDCr.exe
PE32+ executable (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ASDCli.exe
PE32+ executable (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.sys
PE32+ executable (native) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.inf
Windows setup INFormation
#
C:\Program Files\AhnLab\Safe Transaction\AMonLWLH.cat
data
#
C:\Program Files\AhnLab\Safe Transaction\ALWFCtrl.Dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AKDVE.EXE
PE32+ executable (console) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AHC\product.dat.ahc
Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "product.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\drvinfo.ini.ahc
Microsoft Cabinet archive data, single, 174 bytes, 1 file, at 0x44 +AX "drvinfo.ini.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\ckwcfg.dat.ahc
Microsoft Cabinet archive data, single, 173 bytes, 1 file, at 0x44 +AX "ckwcfg.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\asdsr.dat.ahc
Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "asdsr.dat.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\ASDUp.exe
PE32+ executable (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcr90.dll.ahc
Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcr90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\X86\msvcp90.dll.ahc
Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcp90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcr90.dll.ahc
Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcr90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\X64\msvcp90.dll.ahc
Microsoft Cabinet archive data, single, 150 bytes, 1 file, at 0x44 +AX "msvcp90.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark64lgplv2.dll.ahc
Microsoft Cabinet archive data, single, 178 bytes, 1 file, at 0x44 +AX "Ark64lgplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark64algplv2.dll.ahc
Microsoft Cabinet archive data, single, 179 bytes, 1 file, at 0x44 +AX "Ark64algplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark64a.dll.ahc
Microsoft Cabinet archive data, single, 173 bytes, 1 file, at 0x44 +AX "Ark64a.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark64.dll.ahc
Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "Ark64.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark32lgplv2.dll.ahc
Microsoft Cabinet archive data, single, 178 bytes, 1 file, at 0x44 +AX "Ark32lgplv2.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHC\Ark32.dll.ahc
Microsoft Cabinet archive data, single, 172 bytes, 1 file, at 0x44 +AX "Ark32.dll.ahf", flags 0x4, number 1, extra bytes 20 in head, 1 datablock, 0 compression
#
C:\Program Files\AhnLab\Safe Transaction\AHAWKENT.SYS
PE32+ executable (native) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\BldInfo.ini
ASCII text, with CRLF line terminators
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libplc4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\libnspr4.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\freebl3.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\nss\certutil.exe
PE32 executable (console) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\certutil_.exe
PE32 executable (console) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\certadm.dll
PE32 executable (DLL) (console) Intel 80386, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Cert\ca2.der
Certificate, Version=3, Serial=009c786262fd7479bd, not-valid-before=2015-06-18 04:03:24 GMT, not-valid-after=2038-06-12 04:03:24 GMT
#
C:\Program Files\AhnLab\Safe Transaction\Cert\ca.der
Certificate, Version=3, Serial=00d01329e89a358cfe, not-valid-before=2015-06-18 04:03:23 GMT, not-valid-after=2038-06-12 04:03:23 GMT
#
C:\Program Files\AhnLab\Safe Transaction\Cert\astx.inf
Windows setup INFormation
#
C:\Program Files\AhnLab\Safe Transaction\CdmCtrl.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\CdmAPI.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\BtScnCtl.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AHAWKE.DLL
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Av.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AupASD.exe
PE32+ executable (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AtamptU.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Ark64lgplv2.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\Ark64.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AhnI2.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\AhnCtlKD.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ATamptNt.sys
PE32+ executable (native) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ATampt.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ASDi.dll
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
#
C:\Program Files\AhnLab\Safe Transaction\ASDWsc.exe
PE32+ executable (GUI) x86-64, for MS Windows
#